TUNNELING NON-HTTP TRAFFIC THROUGH A REVERSE PROXY 
BACKGROUND OF THE INVENTION 
Statement of the Technical Field 

The present invention relates to the field of network connectivity and multimedia 
protocols and more particularly to managing connectivity through a reverse proxy. 
Description of the Related Art 

The rapid development of the Internet has led to advanced modes of 
communication and collaboration. Using the Internet as a backbone, individuals 
worldwide can converge in cyberspace to share ideas, documents and images in a 
manner not previously possible through conventional telephony and video conferencing. 
To facilitate collaboration over the Internet, a substantial collection of technologies and 
protocols has been assembled to effectively deliver audio, video and data over the 
single data communications medium of the Internet. Nevertheless, the real-time 
delivery requirements of audio and video have strained the infrastructure of the Internet 
in its ability to support multimedia collaboration. 

Along with the dramatic rise in Internet usage over the past decade, a 
correspondingly dramatic increase in hacking and unauthorized accessing of data over 
the Internet has been observed. In response, contemporary network architecture theory 
incorporates network elements tasked with the security of discrete portions of the 
Internet. Typical network elements include firewalls, SOCKS proxies, hypertext transfer 
protocol (HTTP) proxies, network obfuscation units such as network and port address 
translation, and the like. The use of these network elements, however, can complicate 
the accommodation of collaborative computing technologies. In particular, the 
disposition of a security device in the path of real-time data transmissions can interrupt 
if not completely block the flow of the real-time data from source to sink. 

One type of network security element, the reverse proxy, can be used to protect 
a cluster of servers from discretionary access by clients residing in the Internet. The 
reverse proxy can protect the cluster of servers by forcing external clients to connect to 
individual servers within the cluster only through the reverse proxy. The reverse proxy 
itself can manage authentication, address translation and monitoring of data flowing 
through the reverse proxy in order to ensure protocol integrity. In this regard, the 
reverse proxy can support only the HTTP protocol. 

It can be quite complicated to exchange audio and video data media streams 
between client and server devices on opposite sides of a reverse proxy. As it is well 
known in the art, generally reverse proxies only permit HTTP traffic to flow through. 
Consequently, some have utilized HTTP tunneling to push non-HTTP data through a 
reverse proxy while complying with the HTTP requirement of the reverse proxy. In 
further illustration, Figure 1 is a schematic illustration of a system incorporating an 
HTTP tunnel through a reverse proxy. Specifically, as shown in Figure 1, a reverse 
proxy 130 can be disposed between a client computing device 110 and a server 
computing device 120 communicatively coupled to one another over the data 
communications network 140. The reverse proxy 130 can include an address mapping 
table 150 for associating incoming requests to specific back-end server computing 
devices protected by the reverse proxy 130. 

An HTTP tunnel 180 can be established first by initiating a connection commonly 
used for secured sockets layer (SSL) connection with the reverse proxy 130. 
Specifically, the client computing device 110 can forward an HTTP-CONNECT message 
170 to the reverse proxy 130 responsive to which the reverse proxy 130 can accept the 
connection from the client computing device 110. The open connection can be referred 
to as an HTTP tunnel 180 inasmuch as HTTP traffic 190 encapsulating non-HTTP data 
can be routed via the reverse proxy 130 through the tunnel 180 to the server computing 
device 120. 

Once the tunnel has been established, the reverse proxy 130 will ignore the 
HTTP traffic 190, even though the HTTP traffic 190 contains non-HTTP data because in 
accordance with the SSL session, the HTTP traffic 190 will be encrypted and 
unrecognizable to the reverse proxy 130. Still, while HTTP tunneling can be beneficial 
for many applications, HTTP as a protocol suffers from substantial latency issues. Time 
sensitive applications such as real-time media processing, however, cannot tolerate the 
latencies associated with HTTP. Thus, HTTP tunneling real-time media streams such 
as audio and video through a reverse proxy simply is not an option in most cases. 
SUMMARY OF THE INVENTION 

The present invention addresses the deficiencies of the art in respect to HTTP 
tunneling and provides a novel and non-obvious method, system and apparatus for 
tunneling non-HTTP data streams through a reverse proxy. In a preferred aspect of the 
present invention, a method for tunneling non-HTTP data streams through a reverse 
proxy can include soliciting a connection with a reverse-proxy protecting a back-end 
server computing device and establishing a connection with the back-end server 
computing device via the reverse proxy. Responsive to establishing the connection, the 
connection can be maintained in order to exchange non-HTTP data over the 
connection. Significantly, and unlike prior art HTTP tunneling implementations, in the 
present invention, the non-HTTP data can be exchanged over the secured connection 
without encapsulating the non-HTTP data within HTTP messages. 

More particularly, the soliciting step can include requesting a secured sockets 
layer (SSL) connection with the reverse proxy. Subsequently, the SSL connection can 
be completed with the reverse proxy through a handshaking process. The requesting 
step itself can include acquiring an address for the reverse proxy and a port for 
establishing an SSL connection with the reverse proxy. Additionally, an address for the 
back-end server computing device and a port for establishing an SSL connection with 
the back-end server computing device can be acquired. Once the addresses and ports 
have been acquired, an HTTP-CONNECT message can be formulated using the 
acquired addresses and ports. Finally, the formulated HTTP-CONNECT message can 
be written to the reverse proxy. 
The method of the invention can have particular application to the exchange of 
real-time streaming media which cannot be passed through the reverse proxy in an 
HTTP tunnel. In this regard, the exchanging step can include formatting a buffer with 
real-time data and writing the buffer to the connection. Additionally, to ensure only 
authorized access to the server computing device, the method can further include the 
step of performing authentication in the reverse proxy as a condition of establishing the 
secured connection. 

In a system for tunneling non-HTTP data streams through a reverse proxy, a 
reverse proxy can be disposed between a client computing device and a server 
computing device in a computer communications network. An authentication process 
can be configured for operation in conjunction with the reverse proxy. Moreover, a 
communications socket such as an SSL link can be established between the reverse 
proxy and the client computing device. Finally, a non-HTTP data handler can be 
coupled to the communications socket and programmed to write non-HTTP data to the 
reverse proxy without encapsulating the non-HTTP data within HTTP messages. In a 
preferred aspect of the invention, the server computing device can be a real-time 
streaming media server, the non-HTTP data handler can be a real-time streaming 
media client, and the non-HTTP data can be real-time streaming media. 

Additional aspects of the invention will be set forth in part in the description which 
follows, and in part will be obvious from the description, or may be learned by practice 
of the invention. The aspects of the invention will be realized and attained by means of 
the elements and combinations particularly pointed out in the appended claims. It is to 
be understood that both the foregoing general description and the following detailed 
description are exemplary and explanatory only and are not restrictive of the invention, 
as claimed. 
BRIEF DESCRIPTION OF THE DRAWINGS 
The accompanying drawings, which are incorporated in and constitute part of 
this specification, illustrate embodiments of the invention and together with the 
description, serve to explain the principles of the invention. The embodiments 
illustrated herein are presently preferred, it being understood, however, that the 
invention is not limited to the precise arrangements and instrumentalities shown, 
wherein: 

Figure 1 is a schematic illustration of a reverse proxy disposed within a 
client-server system configured for HTTP tunneling in accordance with the known art; 

Figure 2 is a schematic illustration of a reverse proxy disposed within a 
client-server system configured for non-HTTP tunneling in accordance with the present 
invention; and, 

Figure 3 is a flow chart illustrating a process for establishing a non-HTTP tunnel 
through a reverse proxy in the system of Figure 2. 
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
The present invention is a method, system and apparatus for tunneling non- 
HTTP streams through a reverse proxy. In accordance with the present invention, a 
socket connection can be established with a reverse proxy. Based upon the 
establishment of the socket connection, the socket can be passed to a non-HTTP data 
stream handler. The non-HTTP data stream handler can maintain the open socket 
connection and can write non-HTTP data streams over the socket without encapsulating 
the non-HTTP data within an HTTP message. The non-HTTP data stream handler can 
continue to exchange the non-HTTP data over the open socket until finished. 
Subsequently, the non-HTTP data stream handler can close the socket. 

To further illustrate, Figure 2 is a schematic illustration of a reverse proxy disposed 
within a client-server system configured for non-HTTP tunneling in accordance with a 
preferred aspect of the present invention. As shown in Figure 2, a reverse proxy 230 
can be disposed between a client computing device 210 and a server computing device 
220. The client computing device 210 can be communicatively linked to the reverse 
proxy 230 over the data communications network 240. In the preferred aspect of the 
invention, albeit a non-exclusive aspect of the invention, the server computing device 
220 can be a media server associated with a Web conferencing engine and the client 
computing device 210 can be a media client configured to interact with the Web 
conferencing engine. 

The reverse proxy 230 can include both an address mapping table 250, and an 
authentication process 260. The address mapping table 250 can include proxy rules for 
routing incoming requests to appropriate back-end servers protected by the reverse 
proxy 230. In this regard, the address mapping table 250 can include proxy rules for 
routing requests intended for the server computing device 220 to the server computing 
device 220. The authentication process 260, by comparison, can include logic for 
authenticating the client computing device 210 and for applying access restrictions to 
the server computing device 220 based upon the identity of the client computing device 
210. 

Importantly, a communications socket 280 can be established between the client 
computing device 210 and the reverse proxy 230. In particular, the communications 
socket 280 can be created by way of an HTTP-CONNECT request issued by the client 
computing device 210 to the reverse proxy 230. In response to the HTTP-CONNECT 
message, the reverse proxy 230 can authenticate the client computing device 210 and a 
socket 280 can be established between the client computing device 210 and the 
reverse proxy 230. Notably, unlike prior art tunneling methodologies known in the art, in 
the present invention, the socket 280 can be used nakedly in the absence of HTTP 
messages to exchange non-HTTP data streams 290 between the client computing 
device 210 and the server computing device 220 through the reverse proxy 230. 

To better illustrate the operation of the system of the invention, Figure 3 is a flow 
chart illustrating a client process for establishing a non-HTTP tunnel through a reverse 
proxy in the system of Figure 2. Beginning in block 310, the address of the reverse 
proxy can be acquired as can the port of the reverse proxy through which a secured 
connection such as an SSL connection can be established. Moreover, the address of 
the back-end server can be acquired as can the port of the back-end server through 
which a secured connection such as an SSL connection can be established. In both 
cases, generally, port 443 can be used to establish an SSL connection as it is known in 
the art. In any case, in block 320 a message can be constructed for requesting a 
secure connection, for instance an HTTP-CONNECT message. Subsequently, in block 
330 the message can be written to the reverse proxy at the acquired address and port. 

In block 340, the client process can "listen" for a response to the HTTP- 
CONNECT message. If in decision block 350 the reverse proxy responds so as to 
complete a handshaking process necessary to establish a connection such as an 
SSL connection, in block 360 a handle to the established connection can be passed to a 
non-HTTP stream handler such as a real-time streaming media transmission process. 
In block 370, the non-HTTP stream handler can exchange non-HTTP data with the 
server through the reverse proxy over the connection without first encapsulating the 
non-HTTP data in HTTP messages. In this regard, as it is known in the art, once a 
connection has been established, a reverse proxy will not automatically close the 
connection, but will maintain the connection and will ignore data flowing through the 
connection. 

Consequently, the exchange process can continue without interference by the 
reverse proxy through decision block 380 until complete. Once complete, in block 390 
the connection can be closed and the process can terminate. The present invention 
can be realized in hardware, software, or a combination of hardware and software. An 
implementation of the method and system of the present invention can be realized in a 
centralized fashion in one computer system, or in a distributed fashion where different 
elements are spread across several interconnected computer systems. Any kind of 
computer system, or other apparatus adapted for carrying out the methods described 
herein, is suited to perform the functions described herein. 
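
The client flow of Figure 3 (blocks 310-390), together with the proxy's mapping-table and authentication checks, can be exercised on loopback as in the following added example, which is not code from this specification. It assumes a plaintext TCP connection in place of SSL, a bearer token as the credential, a 403 reply for any refused request, and the constructed values `media.example:443` and `s3cret`.

```python
import select, socket, threading

def serve(handler):  # run handler on the first loopback connection, return the port
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        conn, _ = srv.accept()
        with srv, conn:
            handler(conn)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def read_head(sock):  # byte-wise, so no tunnel data is consumed
    buf = b""
    while not buf.endswith(b"\r\n\r\n") and (chunk := sock.recv(1)):
        buf += chunk
    return buf

def echo(conn):  # stands in for back-end server 220
    while data := conn.recv(4096):
        conn.sendall(data)

def make_proxy(mapping, token):  # stands in for reverse proxy 230
    def proxy(conn):
        lines = read_head(conn).split(b"\r\n")
        method, target = lines[0].split()[:2]
        authed = b"Proxy-Authorization: Bearer " + token in lines  # process 260
        if method != b"CONNECT" or not authed or target not in mapping:
            return conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        with socket.create_connection(mapping[target]) as up:  # table 250
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            while True:  # from here on the proxy only copies opaque bytes
                for s in select.select([conn, up], [], [])[0]:
                    if not (data := s.recv(4096)):
                        return
                    (up if s is conn else conn).sendall(data)
    return proxy

def tunnel(port, target, token, frames):
    with socket.create_connection(("127.0.0.1", port)) as s:  # block 310
        req = b"CONNECT %b HTTP/1.1\r\nHost: %b\r\nProxy-Authorization: Bearer %b\r\n\r\n"
        s.sendall(req % (target, target, token))  # blocks 320-330
        status = read_head(s).split(b"\r\n")[0]  # block 340
        if status.split()[1:2] != [b"200"]:  # block 350: no tunnel granted
            return status, []
        s.sendall(b"".join(frames))  # blocks 360-380: raw bytes, no HTTP framing
        return status, [s.recv(len(f), socket.MSG_WAITALL) for f in frames]  # 390

def demo(token):  # constructed host name, token and frames
    proxy = make_proxy({b"media.example:443": ("127.0.0.1", serve(echo))}, b"s3cret")
    return tunnel(serve(proxy), b"media.example:443", token, [b"\x80\x60\x00\x01f1", b"\x80\x60\x00\x02f2"])
```

Once the 200 response has been sent, nothing in the relay loop inspects the bytes, so the mapping and credential checks made before that point are the only control the proxy applies to the tunnel.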

A typical combination of hardware and software could be a general purpose 
computer system with a computer program that, when being loaded and executed, 
controls the computer system such that it carries out the methods described herein. 
The present invention can also be embedded in a computer program product, which 
comprises all the features enabling the implementation of the methods described 
herein, and which, when loaded in a computer system is able to carry out these 
methods. 

Computer program or application in the present context means any expression, 
in any language, code or notation, of a set of instructions intended to cause a system 
having an information processing capability to perform a particular function either 
directly or after either or both of the following: a) conversion to another language, code 
or notation; b) reproduction in a different material form. Significantly, this invention can 
be embodied in other specific forms without departing from the spirit or essential 
attributes thereof, and accordingly, reference should be had to the following claims, 
rather than to the foregoing specification, as indicating the scope of the invention. 